Windows 10 Version 1607 driver signing changes

Martin Brinkmann
Jul 28, 2016
Updated • Jul 5, 2017
Windows, Windows 10

Microsoft announced recently that the upcoming version 1607 of Windows 10, known as the Anniversary Update, will only load kernel mode drivers that are digitally signed by Microsoft.

The company notes, however, that the change won't affect all systems, as only new installations are affected in the beginning.

Starting with new installations of Windows 10, version 1607, the previously defined driver signing rules will be enforced by the Operating System, and Windows 10, version 1607 will not load any new kernel mode drivers which are not signed by the Dev Portal.

The list of exceptions to the new policy is long. Below is the most important information regarding the new kernel mode driver policy:

  1. PCs upgraded to Windows 10 Build 1607 from a previous version of Windows (for instance Windows 10 version 1511) are not affected by the change.
  2. PCs without Secure Boot functionality, or Secure Boot off, are not affected either.
  3. All drivers signed with cross-signing certificates that were issued prior to July 29, 2015 will continue to work.
  4. Boot drivers won't be blocked to prevent systems from failing to boot. They will be removed by the Program Compatibility Assistant however.
  5. The change affects only Windows 10 Version 1607. All previous versions of Windows are not affected.

Microsoft notes that the change is done to make Windows more secure for end-users.

We’re making these changes to help make Windows more secure. These changes limit the risk of an end-user system being compromised by malicious driver software.

While the company states that certain setups won't be affected by the change, it appears that at least some of these exceptions will only be temporary.

As mentioned previously, boot drivers won't be blocked outright according to Microsoft. The company states however that Windows will eventually block boot drivers.

Microsoft mentions further that it "starts with" new installations of Windows 10, which suggests that it plans to remove some or even all of the exceptions in the future.

Impact

Kernel mode drivers are used by various programs on Windows. The list includes various security and backup programs, or VPN applications to name a few.

Any kernel mode driver not signed by Microsoft won't run anymore on new installations of Windows provided that the exceptions listed above don't apply.

This in turn breaks any program that relies on the driver.

While Windows 10 users may be affected by the change, so are developers. Companies may have enough funds to get the required certificates to get their drivers signed by Microsoft, but the same may not be true for hobby programmers or one-man teams.

On the other hand, the move will limit malicious kernel mode drivers as well.
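
The exceptions listed earlier can be checked on a given machine. The following PowerShell audit is an added example, not code from this article or from Microsoft. It assumes that a signer certificate whose subject contains `O=Microsoft Corporation` counts as Microsoft-signed (a heuristic) and that the signer certificate's `NotBefore` date is its issue date; it cannot tell an upgraded system from a clean installation.

```powershell
# Added example: audit driver signers against the exceptions in this article.
# Run from an elevated PowerShell 5.1 prompt on the machine being checked.
$cutoff = [datetime]'2015-07-29'    # cross-signing cut-off date (exception 3)

# Exception 2: enforcement applies only with Secure Boot on.
try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
catch [System.PlatformNotSupportedException] { $secureBoot = $false }  # legacy BIOS

# Exception 5: version 1607 is build 14393; earlier builds are not affected.
# Assumption: later builds keep the same rule.
$build    = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
$enforced = $secureBoot -and ($build -ge 14393)
"Secure Boot: $secureBoot  Build: $build  Policy can apply: $enforced"

$report = foreach ($drv in Get-CimInstance Win32_SystemDriver) {
    if (-not $drv.PathName) { continue }
    # Normalise NT-style prefixes that some services register.
    $path = $drv.PathName -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    $cert = $sig.SignerCertificate
    $verdict = if (-not $cert -or $sig.Status -ne 'Valid') {
        'unsigned or invalid signature'
    } elseif ($cert.Subject -match 'O=Microsoft Corporation') {
        'Microsoft-signed'              # heuristic, see the note above the block
    } elseif ($cert.NotBefore -lt $cutoff) {
        'certificate predates cut-off'  # exception 3 applies
    } else {
        'REVIEW: may be blocked on a clean install'
    }

    [pscustomobject]@{
        Driver  = $drv.Name
        State   = $drv.State
        Signer  = if ($cert) { $cert.GetNameInfo('SimpleName', $false) } else { '' }
        Issued  = if ($cert) { $cert.NotBefore.ToString('yyyy-MM-dd') } else { '' }
        Verdict = $verdict
    }
}

# Show only the drivers that are not Microsoft-signed.
$report | Where-Object Verdict -ne 'Microsoft-signed' |
    Sort-Object Verdict, Driver | Format-Table -AutoSize
```

Drivers flagged `REVIEW` are the ones to raise with the vendor before a clean install with Secure Boot enabled.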

Now You: What is your take on the change?


Comments

  1. Ken said on September 23, 2016 at 9:46 pm
    Reply

    I reset Windows 10 on my laptop after the 1607 update as I was having some weird problems occurring. I tried to install Comodo firewall again after the Reset, but Program Compatibility Assistant said its drivers aren’t digitally signed, hence blocking them and not allowing internet traffic through the Comodo Firewall even though the installation goes ahead.

    Googled it and tried a few things including disabling the Program Compatibility Assistant service and turning off the digital driver checking in troubleshooter at bootup. Both didn’t work.

    Going to try this ‘Secure Boot Off’ tomorrow as a final attempt on my laptop at work. Will let you know if successful.

    Driver signing changes link:-
    https://blogs.msdn.microsoft.com/windows_hardware_certification/2016/07/26/driver-signing-changes-in-windows-10-version-1607/

    1. Ken said on September 24, 2016 at 9:55 am
      Reply

      IT WORKED! Comodo Firewall now installs and works as before.
      Thank you for the tip.

  2. Cop This! said on September 23, 2016 at 9:40 pm
    Reply

    I reset my laptop after the 1607 update as I was having some weird problems occurring. I tried to install Comodo firewall after the Reset again, but Program Compatibility Assistant said its drivers aren’t digitally signed, hence blocking them and not allowing internet traffic through the Comodo Firewall even though the installation goes ahead.

    Googled it and tried a few things including disabling the Program Compatibility Assistant service and turning off the digital driver checking in troubleshooter at bootup. Both didn’t work. Contacted Comodo help and they said they could fix it but I would have to pay for the GeekBuddy licence.

    Going to try this tomorrow as a final attempt on my laptop at work. The 1607 update to Windows 10 I think has caused this I believe. See link about it below….

    https://blogs.msdn.microsoft.com/windows_hardware_certification/2016/07/26/driver-signing-changes-in-windows-10-version-1607/


  3. Lilli G said on August 8, 2016 at 4:36 pm
    Reply

    Yea… but again, good-bye Secure Boot.

  4. William said on August 6, 2016 at 6:58 pm
    Reply

    I had to restore back to version 1511 as my Wi-Fi was going on/off.
    I like some of the new updates, but this was only the laptop that Microsoft update to ver 1607.
    The restore took less than 5 minutes.

  5. dave smith said on August 1, 2016 at 3:10 pm
    Reply

    Solution: switch to Linux. Worked for me :)

  6. A or B, not C. said on July 31, 2016 at 8:25 am
    Reply

    Will M$ abuse this “new feature” of Win 10 1607 to eliminate competition to their own Windows Defender AV, Bing search, Edge browser, inbuilt back-up/disk-cleanup/defrag programs, Windows games, etc, … similar to the Windows Store being likely abused by M$ to limit the installation of some 3rd-party software.

    Do Win 10 cptrs belong to the users or to M$.?
    …….Bear in mind that M$ may trigger any change they wish wrt this “new feature”. Seems M$ r treating all their customers as Dummies n need to be protected from themselves, …….similar to the patronizing liberals of the Nanny Blue States.

  7. CHEF-KOCH said on July 28, 2016 at 5:52 pm
    Reply

    HitMan pro and IDM pro (as time of writing are affected) just enable secure boot and then just try to install it and you will get the ‘can’t install necessary driver’ popup. But Bcdedit.exe -set TESTSIGNING OFF still does the trick (but you need now to turn secure boot off for this). Sadly it’s not like 7 anymore if you re-enable it after the driver are been successfully installed then it blocks it again after the reboot. So you have that annoying watermark (of course you can disable it) but overall I hope we will get updates asap for this, because the security aspect is broken with such ‘workarounds’.

    Thanks for the above mentioned trick, will try it. :)

  8. Maelish said on July 28, 2016 at 4:50 pm
    Reply

    What is the best way to find out if you are using kernel mode drivers that won’t pass muster?

    1. Bruce said on July 28, 2016 at 5:09 pm
      Reply

      http://betanews.com/2012/05/02/when-windows-goes-wrong-try-kernel-mode-drivers-manager/

      Run NTKMDM. Go to Options and select ‘Hide Microsoft Drivers’. Right-click on the remaining entries one at a time and select ‘Verify File Signature’. It will tell you who signed it (normally the company that wrote it).

      1. SOA_JunK said on July 28, 2016 at 6:11 pm
        Reply

        Thank you, thank you, thank you!

  9. Kin said on July 28, 2016 at 3:17 pm
    Reply

    Woaw, does that mean that VPN clients, that are often based on OpenVPN, will probably not work on new OS install?

    1. "Free Upgrade" said on July 28, 2016 at 10:25 pm
      Reply

      Don’t enable secure boot.

  10. confused said on July 28, 2016 at 2:40 pm
    Reply

    I don’t understand.. Can I still use some chinese gamepad even if the driver does not have Microsoft sign?

    1. Martin Brinkmann said on July 28, 2016 at 2:50 pm
      Reply

      As long as it is not a kernel mode driver yes.

  11. RM said on July 28, 2016 at 2:23 pm
    Reply

    I like it. With the open environment that is Windows, you have to keep it secured in ways that a closed environment does not need to be. This adds to the many reasons PC sales are going to increase again.

    1. ilev said on July 30, 2016 at 6:44 pm
      Reply

      “PC sales are going to increase again”

      PC sales are never going to increase again, not after the “boost in sales” of Windows 10 fiasco.

    2. Tim said on July 28, 2016 at 4:48 pm
      Reply

      Yup. As it is there’s nothing stopping malicious actors from using ill-gotten private keys to sign kernel-mode malware, which would give them the ability to silently have free reign of the entire system, including bypassing security mechanisms in place. The users would be completely unaware as the malware would be running with the highest level of permissions on the machine possible, Ring 0, I.E. With the same or higher permissions than any security software they have installed to protect them. That means malware would have the ability to bypass those mechanisms and remain unnoticed and undetected covering its tracks doing pretty much anything it wants to do.

      So, I welcome the move. I read this as an additional layer of protection due to signed kernel-mode malware becoming more prevalent.

      1. Captain Obvious said on August 16, 2016 at 10:49 pm
        Reply

        If a malicious actor can install a driver he already has all the privileges he needs to “have free reign of the entire system”.

  12. Yuliya said on July 28, 2016 at 2:16 pm
    Reply

    “PCs without Secure Boot functionality, or Secure Boot off, are not affected either.”
    More like “Restrict my access to my computer” feature. Any sane person figured out by now that they should disable this anyway. Assuming their sanity is still present after they figured this out. Few years ago, after a couple of hours of constant failure attempts and cursing while trying to install 7 on a laptop that came with 8, I found about that option on the internet. Just disable it.

    1. Matt said on January 12, 2017 at 1:51 am
      Reply

      If you’re an IT Professional, God help any company you work for. While you’re at it why don’t you disable antivirus because it slows down your computer or turn off UAC because the prompts are “annoying”. Moron.

    2. Tom Lake said on July 29, 2016 at 7:35 pm
      Reply

      That’s only true if it’s your personal system. Any computer on a corporate network better have it on or there’ll be hell to pay when the system is compromised.

    3. Tim said on July 28, 2016 at 3:23 pm
      Reply

      @Yuliya said “Any sane person figured out by now that they should disable this [Secure Boot] anyway”

      Uhm, no.

      1. Zoey Barkow said on July 28, 2016 at 9:07 pm
        Reply

        we only disable this to do imaging and after it’s all setup and ready to deploy to user it gets enabled. we don’t like our users mucking up things, they just need to do their work and not install crap. we’ve already installed all the crap they need to do their jobs and just maybe they get paid for working.

      2. Yuliya said on July 28, 2016 at 7:23 pm
        Reply

        Uhm, yes.
